Policy statement for customers

Policy statement on the processing of customers' personal data

The personal data that may be processed from time to time in respect of the various purposes pursued by Ersel SIM include your personal particulars, contact information and anti-money laundering and risk profile. Processing shall be consistent with the criteria set out in the European Regulation on the processing of personal data, Reg. 2016/679/EU, in force since 25 May 2018 (hereinafter "GDPR"). According to the legislation concerned, data must be processed in accordance with the principles of fairness, lawfulness, transparency and protection of your privacy and rights.

2. Purposes of processing The personal data collected on a mandatory basis for the performance of the contract shall be processed without the need for consent from the data subject (pursuant to Article 6.1(b) GDPR) and shall be used for the following purposes: a) fulfilment of pre-contractual, contractual, tax or accounting obligations deriving from the relationship with the customer, and fulfilment of obligations under laws, regulations, Community legislation or measures by authorities (e.g., anti-money laundering legislation), compliance with orders from supervisory or control authorities and management of commercial relations, to the extent necessary to provide the requested service as effectively as possible;

b) obligations relating to the previous point intended to improve the service, such as data required for the management of the protected area accessible to the customer. Express consent shall be required for the other optional purposes such as:

c) marketing activities relating to financial and commercial products, customer retention activities and services that the data controller proposes or sponsors. The data subject is free to provide or refuse consent for this purpose. Refusal to provide such consent shall not prevent the relationship from being concluded or implemented.

3. Processing methods The personal data shall be processed by the data controller and duly appointed data processors in fair pursuit of the purposes set out in point 2), through the use of electronic systems and paper archives, subject to security measures suited to ensuring the privacy of the personal data and preventing undue access by unauthorised persons.Please be advised that the telephone calls whereby you submit instructions and/or orders shall be recorded on a magnetic medium in accordance with European MiFID II rules. The data controller shall not make use of automated processes, including profiling, to achieve the purposes set out in this policy statement.

4. Disclosure of dataThe personal data may be disclosed to parties belonging to the same group as the data controller and to duly appointed external parties responsible for performing activities on behalf of the data controller for the purposes of fulfilment of contractual obligations towards the customer. A list of such parties shall be provided to the customer upon request to the data controller in accordance with the instructions set out in point 7) of this policy statement. The data shall not be transferred to third countries or disseminated (e.g., via social networks, websites, etc.).

5. Length of processing The Data Controller shall process the personal data for the time required to achieve the purposes set out above, with the limit of 10 years from the termination of the relationship for the purposes set out in points 2) a) and b), and of two years from the termination of the relationship for the purposes set out in point 2) c), without prejudice to automatic renewal of the relationship.

6. Type of data processed Type of data processed: with regard to personal data concerning customers and potential customers: name, address, other personal identification information, tax code, identification details of other bank accounts (ABI and CAB codes, IBAN and account number), and data concerning the customer's family and personal situation, level of education and profession. The data controller may be forced by the circumstances to process particular data regarding the customer.

7. Data subjects' rights The data subject has the right to request that the data controller grant access to, rectify, delete and restrict processing of his or her personal data, as well as the rights to object to the processing of his or her data and to request data portability. Such requests may be submitted by e-mail, fax or registered letter indicating in the subject line “request from the data subject” and specifying the right that the data subject wishes to exercise (erasure, rectification, portability, to be forgotten), along with a valid standard or certified e-mail address to which to send the reply. The data controller, or person engaged by the data controller, shall fulfil the request within 30 days of when it is received. If the response is complex, the time required could be extended by an additional 30 days, subject to timely notification of the data subject. If you wish to exercise your rights, you may lodge a complaint with the competent supervisory authority, in Italy the National Privacy Authority, located at Palazzo Monte Citorio 121, Rome.

8. Data Protection Officer (DPO) The data controller has designated Tiziana Rossi, based in Turin, Piazza Solferino 11, as Data Protection Officer pursuant to Article 37 of Reg. 2016/679/EU. The deed of designation of the DPO is appended to the record of processing kept by the data controller.